The Trump administration is exploring ways to replace the use of Social Security numbers … in the wake of consumer credit agency Equifax Inc.’s massive data breach … according to Rob Joyce, special assistant to the president and White House cybersecurity coordinator.…Joyce’s comments came as former Equifax CEO Richard Smith testified before the House Energy and Commerce Committee. [He] said the rising number of hacks involving Social Security numbers has eroded their security value. … “The concept of a Social Security number … being private and secure -- I think it’s time … to think beyond that. … What is a better way to identify consumers?”…Joyce said officials are looking into “what would be a better system” that [uses] a “modern cryptographic identifier,” such as public and private keys.…While lawmakers were unanimous in criticizing Equifax’s response to a breach that compromised information on 145.5 million U.S. consumers, they were divided on how to fix the underlying issue. Democrats on the panel have reintroduced legislation imposing requirements for when companies have to report data breaches, while Oregon Republican Greg Walden noted … “you can’t fix stupid.”

It would be fair to ask what your Social Security number is even good for anymore. It's no longer really a secret form of identification, so let's think of something else.…Major data breaches often spur complaints that [it] was never intended to be a universal form of identification. … If we phase out Social Security numbers, though, we'll need something that won't just get compromised all over again.

But do infosec mavens agree? Does DropBear drop in the woods? [You’re fired -Ed.]

It boggles the mind. … What kind of idiot goes "you need to keep this number secret from strangers except of course any official of any organization who might conceivably need to ask for it, because those are all Good Guys"?!?

My name and SSN are assigned to me. I cannot choose or change them. Thus, they should have no business value, especially no value in the credit / financial context.

My address, my employment, my family are essentially fixed as well. Again - this data could be public. It should have no value.…Stopping the criminals won't work - as long as there is anything of value, there will be intent and crime to get it. The value itself must change.

The intruders used techniques that have been linked to nation-state hackers in the past. [Equifax] employees used to joke that [it] was just one hack away from bankruptcy.…On March 10, hackers scanning the internet … got a hit on an Equifax server in Atlanta, according to people familiar with the investigation. … They may not have immediately grasped the value of their discovery, but … that first group—known as an entry crew—handed off to a more sophisticated team of hackers.…The handoff to more sophisticated hackers is among the evidence that led some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say [it] has the hallmarks of similar intrusions [that] were ultimately attributed to hackers working for Chinese intelligence.…Others involved in the investigation aren't so sure, saying the evidence is inconclusive at best [or] that there is evidence that a nation-state may have played a role, but that it doesn't point to China.

Still, here’s some good news. It’s National (ahem) Cybersecurity Awareness Month again, thanks to NCSA and the DHS:

This October marks the 14th annual National Cyber Security Awareness Month … a far-reaching online safety awareness and education initiative co-founded and led by the National Cyber Security Alliance … and the U.S. Department of Homeland Security.…We all need to do our part to be safer online and, when we do, we make the internet more secure for everyone.

Except that awareness does not change behaviors. Month or century - not helping. We need a change of focus - from awareness to behaviour training. And to relearn that there is no such thing as 100% security. Especially with people.

And Finally…

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.